Moving devices across VLANs

angel-moon
Level 3

Hello,

If I use ISE to restrict access (what ports they communicate on, who can talk to them, etc.) to certain devices while they are in VLAN 200, will I have to redo those rules from the ground up if I move those devices into VLAN 201?

Thanks in advance!

Mike.Cifelli
VIP Alumni
I would recommend checking out the admin guide and/or free tutorials on labminutes.com/security to gain additional information. However, to answer your question, you can create one DACL under Policy->Policy Elements->Results->Authorization->Downloadable ACLs and then create two separate authorization profiles that assign the respective VLAN and the same DACL. Then you would obviously build your authz conditions in your policy set to match on each respective VLAN and assign the corresponding authz profile you created for each VLAN. Note that there is a lot more from a config standpoint on the switch side that needs to be in place in order for this to work. Good luck & HTH!

Colby LeMaire
VIP Alumni

I assume you are referring to downloadable ACLs (dACL). That would be the only way ISE can restrict access like that. In that case, it depends on how you write your ACL. If you are allowing traffic to IPs and ports outside of the VLAN, then nothing should change there. If you are trying to restrict a user from communicating with another machine on the same VLAN, then that may have to change. For example, let's say VLAN 200 is 192.168.200.x and VLAN 201 is 192.168.201.x. You want to prevent a user on VLAN 200 from talking to other users on VLAN 200. That ACL entry may be "deny ip any 192.168.200.0 0.0.0.255". If you then move to VLAN 201, then you would also have to have an entry to cover the new subnet. Just really depends on what you are looking to accomplish.
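To make the subnet dependence in the reply above concrete, here is an added example (not from the thread or from Cisco) that evaluates plain `ip` dACL entries written in Cisco wildcard-mask syntax against sample flows. The ACL lines and the 10.0.0.53 server address are constructed for illustration; the 192.168.200.x / 192.168.201.x subnets follow the reply's example.

```python
import ipaddress

# Constructed sample dACL (Cisco wildcard-mask syntax). The second entry mirrors
# the reply's intra-VLAN deny for VLAN 200; 10.0.0.53 is a hypothetical server.
SAMPLE_DACL = [
    "permit ip any host 10.0.0.53",         # reach a shared server outside the VLAN
    "deny ip any 192.168.200.0 0.0.0.255",  # block talking to anything in VLAN 200
    "permit ip any any",
]


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Turn a Cisco address/wildcard pair (0 bits = must match) into a network."""
    mask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def _take_addr(tokens):
    """Consume one address spec: 'any', 'host X', or 'X WILDCARD'."""
    if tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv4Network(f"{tokens[1]}/32"), tokens[2:]
    return wildcard_to_network(tokens[0], tokens[1]), tokens[2:]


def parse_ace(line: str):
    """Parse '<permit|deny> ip <src> <dst>'; port-qualified ACEs are out of scope here."""
    tokens = line.split()
    action, proto, rest = tokens[0], tokens[1], tokens[2:]
    if proto != "ip":
        raise ValueError(f"only plain 'ip' ACEs are handled: {line}")
    src, rest = _take_addr(rest)
    dst, _ = _take_addr(rest)
    return action, src, dst


def first_match(dacl, src_ip: str, dst_ip: str) -> str:
    """Return the action of the first matching ACE; Cisco ACLs end in an implicit deny."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for line in dacl:
        action, src, dst = parse_ace(line)
        if s in src and d in dst:
            return action
    return "deny"


def intra_subnet_action(dacl, subnet: str) -> str:
    """Action a host-to-host flow inside `subnet` receives under this dACL."""
    a, b = list(ipaddress.IPv4Network(subnet).hosts())[:2]
    return first_match(dacl, str(a), str(b))


if __name__ == "__main__":
    print("VLAN 200 intra-subnet:", intra_subnet_action(SAMPLE_DACL, "192.168.200.0/24"))
    print("VLAN 201 intra-subnet:", intra_subnet_action(SAMPLE_DACL, "192.168.201.0/24"))
```

Running it shows the same dACL denies host-to-host traffic in 192.168.200.0/24 but permits it in 192.168.201.0/24 until a second deny entry for the new subnet is added, which is exactly the point the reply makes.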